Steven Schwartz - The Cyber Steve

InsurSec Podcast

In Episode 3 of The InsurSec Podcast, we were joined by Steven Schwartz, aka "The Cyber Steve" aka "The Cyber Risk Quantification Stud" (my favorite), to explore the evolution of cyber insurance and the future of cyber underwriting. With over 15 years in the cyber ecosystem, Steve brings invaluable perspective.

He recounts his journey into insurance and the very early days of standalone cyber. We discuss the pros and cons of today's shotgun application process and the need for more standardization. Steve explains how true inside-out data can provide unparalleled risk insights versus outside-in scanning.

Steve breaks down how Safe Security is quantifying cyber risk through millions of security signals and turning bits into dollars. We examine the challenges of risk modeling and Steve offers a vision for the next generation of underwriting leveraging transparency, automation, and verified security frameworks.

Steve provides practical advice on incrementally improving cyber risk management and the incentives insurers can provide. With Safe, insurers can truly reward insureds for their investments in cybersecurity.

This was a conversation for the books.

Find Steve on LinkedIn or at [email protected]

Transcript

Introduction to Cyber Steve

00:00:19
Speaker
Welcome to the InsurSec Podcast. Uh, today's guest, we have, he goes by many things: Cyber Steve, inside-out underwriting aficionado and evangelist, cyber risk quantification stud. I don't, I don't know. He goes by a lot of things, but he also goes by. I like cyber risk quantification stud. That's what my wife calls me.
00:00:48
Speaker
Awesome. Welcome to the show, Steve. We keep things pretty unscripted and organic here, so looking forward to having some conversations because we talk a lot and I've always wanted to invite more people on because we get pretty nerdy. If you're into anything cyber insurance, you would enjoy the conversations that we have. Fortunately, we get to invite people into this one.
00:01:13
Speaker
Hey, when, when, when three of us are getting together on a Friday afternoon, it's in this regard, it's fair to say where we're pretty nerdy. Right. And, uh, in the, in this topic, Hey, you forgot the cyber Steve. I mean, the main like title of, Oh, did I forget it? Cyber Steve.
00:01:38
Speaker
Yes. It was, I don't know, maybe like eight years now.

Steve's Journey into Insurance

00:01:46
Speaker
I walked into a room with, you know, a team I was working with and someone just threw out, they're like, oh, you know what? Like you need to be the Cyber Steve.
00:01:55
Speaker
Um, and it just, it just stuck. Now I will say there was a cyber Steve on Twitter whose account was banned for some, uh, bad activity. So, uh, just, you know, I had to make sure the world knew that that was not me. Yeah. Your cyber underscore Steve. There's a very big picture. It's the cyber Steve, not cyber Steve. Yeah.
00:02:25
Speaker
Awesome. Awesome. Well, I think, you know, one thing that I enjoy about getting to have people on the podcast is to hear kind of their background, their story. And, you know, everybody in this industry has, uh, there's like parts of it that are like super similar and parts of it that are, you know, everybody's unique. Um, so, I mean, you could take us back as far as you want to go. I mean, two people fall in love. Like we could go that far back or, you know, I keep it, you know, you get the creative license there.
00:02:54
Speaker
Yeah, no, I am. So yeah, my parents got married. I was born and by about four, I knew I wanted to be in the insurance industry. And, uh, at which point they, they recommend they, they sent me to go get some, uh, some help.
00:03:14
Speaker
That's concerning. I've had an interesting and unique path, I'd say. I started my career at a healthcare data analytics startup doing the claims analytics for the likes of Aetna, various across brands.
00:03:34
Speaker
Was a great experience. Was employee number 14, and the company had a nine-figure exit with 150 employees five years later. So really got to just see a, I didn't really know or appreciate it at the time, you know, just, I was still quasi working, quasi in school when I started, you know, just graduating and
00:03:55
Speaker
but really got to see the power of that culture, you know, of a good culture and how that, the success that that leads to, right? When people actually want to be, you know, want to show up where, where they're working, feel like they're part of a team, part of the family. And then I got deeply immersed into the insurance industry.
00:04:13
Speaker
But I had a unique opportunity to join, if not least, it's one of the world's largest independent risk management and insurance consulting firms, where we manage the insurance programs for Fortune 1000 entities or companies paying at least a million dollars a year in insurance.
00:04:33
Speaker
And what was really interesting to me about the opportunity was really a couple of things. And I'll never forget, first meeting my mentor and the president, he was like, a couple of things.

Mentorship and Industry Insights

00:04:47
Speaker
A, you're what, 24, 25 years old. If you try to go talk to a public company CFO about finance, they're going to run circles around you.
00:04:59
Speaker
Right. But this is a topic that they don't they don't know a lot of them don't care to know. Right. And but without insurance, the world stops. Right. And and I think we lose sight of that. Right. We're not having this conversation. We don't have insurance on these buildings and, you know, and commercially.
00:05:17
Speaker
And then further, when I really got to understand exactly what we were doing, where we were really just exploiting what is a flawed distribution model. It's not a bash on brokers at all, but unfortunately, insurance isn't one inherent conflict of interest. As a broker, I represent myself, the end customer, and the insurance company.
00:05:40
Speaker
Um, right. And, uh, and where, again, it's a function of the industry. It's not a bash on brokers, but we're driven to sell a policy, right? We get paid to sell a policy, not to provide strategic advice. And that of course opens up things like, well, you know, uh, obviously I make more money if I sell a $100,000 versus an $80,000 policy, right. And hopefully every, everybody's advisor and broker is doing the right thing by the customer. But, um,
00:06:09
Speaker
It was very illuminating. On average, we always focused on asset protection. We would never align to premium savings because you'll forget about the 500 grand we saved you and there's a $5 million claim that's not covered.
00:06:24
Speaker
So always, number one priority was on enhancing their asset protection, but we would drive this competitive negotiation process whereby we had several brokers and carriers competing for each line of business with different markets assigned accordingly.
00:06:42
Speaker
And on average, we delivered 20 to 40% premium savings year one, right? Because we were just like that perpetual pebble in the shoe. For Broker, we, candidly, didn't get too many Christmas cards from the Brokers community, but we definitely, there were definitely a few Brokers who did quite well with us.

Focus on Cyber Insurance

00:07:04
Speaker
And in that regard, and sorry for going a little long there, but around 2013, I started to dive deep into the cyber insurance, did a lot of work at the time, you know, with Beazley and drafting one of their earlier standalone forms or high compliance plus form.
00:07:26
Speaker
And then ultimately, I started my own consulting firm recognizing this need to bridge the gap between cyber risk management and cyber insurance. In that, I got pulled into a variety of interesting rabbit holes in that journey. I ended up ultimately spending two years working with venture capital funds and advising their InsureTech
00:07:50
Speaker
and cybersecurity portfolio member CEOs. Really, you know, and on the InsureTech side, which you guys would appreciate, right, is if we look back, you know, five, six years when InsureTech, you know, just became a word, I actually at one point was on that top InsureTech influencers list, but then people woke up and they were like, why is this guy on the list?
00:08:16
Speaker
We were seeing a lot of brilliant solutions that were addressing micro problems within insurance because you had engineers who were creating things I could never dream of, but as you guys know, insurance is not an industry you can just read about in a book versus living within it.
00:08:38
Speaker
Um, so found a unique opportunity, I would say, uh, you know, just given the market timing there and, um, ultimately, uh, ended up joining one of my customers in that regard who was, uh, a cyber risk quantification company had quoted out of Tel Aviv by TJ. Uh, where I led in there, the overall strategy and played a large role in the company's funding. We got acquired by MasterCard in June of 2020. Uh, but also led, you know, led the company's, um, yeah, you know,
00:09:08
Speaker
pivot to an insurance practice. And around this same notion, which I'll get to where I'm at today on this need to drive more inside out, quantitative based underwriting and the assessment and relationship to the end customer.
00:09:26
Speaker
And ultimately, I feel very fortunate that I got introduced to Saket and the team at Safe Security. And when I learned what they were doing and got some additional perspectives, I think these guys might really be the ones to sort of correct the cyber value at risk.
00:09:48
Speaker
And, you know, spent a few months really mapping out, you know, the opportunity and go-to-market strategy together. And, you know, glad to say I'm coming up on two years in about a month and, you know, have been, as you guys know, partnering across the insurance ecosystem and, you know, building on what we're providing to core enterprises in this regard.
00:10:14
Speaker
Yeah, that's a really good breakdown of everything. I didn't know about the independent brokerage side that you were doing.

InsureTech and Personal Experiences

00:10:27
Speaker
And then also, I didn't know about the consulting thing either and being on the insurance deck.
00:10:32
Speaker
That's awesome. I mean, I guess you were basically involved in InsureTech before it was even InsureTech, right? Yeah. As it became, when it emerged out of FinTech to actually become its own category, and I'll never forget this because it was
00:10:54
Speaker
You know, I guess really my star, but also, you know, the most terrifying experience in my life. I think it was the 2017 InsurTech Connect. You know, I had a, it was the Friday before I get it. I'm getting an email to this, you know, panel that's been, this email thread has been going on for like a month and a half.
00:11:15
Speaker
Uh, and I just, I get this out of nowhere. So I ping them like, Hey, am I supposed to be on this email thread? Uh, and they're like, yeah, you know, someone suggested you should, uh, you should speak. So you're like, you're on this panel. Um, which like a heads up would have been cool, but you know, it was a great opportunity, right? You know, to, uh, you know, I was still right. Do it, do my own thing. And, uh, and again, InsureTech, right. You know, 2017 and.
00:11:42
Speaker
Um, and, uh, yeah, so that though, you know, unfortunately was the year, uh, during the Vegas shooting. So I flew out on Sunday, Sunday night. I landed in Vegas. Uh, the conference was at Caesars, which was sold out. So I was at the MGM, which is the hotel right next to where, where that occurred. And about 30 minutes after dropping my luggage down, I saw, um, you know, I'm down, down at one of the restaurants.
00:12:10
Speaker
See this family run past me, grab their grandmother like we need to get out of here like right now, turn back around and I just see thousands of people sprinting towards me. Um, and only context I got is there's people in here with machine guns.
00:12:25
Speaker
Could, uh, could hear every round, like I could you not have the second round I thought somebody was 100 feet behind me, just like sprinting for my life, and, uh, and yeah, and then on to InsurTech Connect the next day, um, so it was, uh
00:12:41
Speaker
Yeah, so I don't know why I went into that story, but as part of my, I guess that was part of my on-ramp into, into the whole InsureTech space, but trying to say the last, the last conferences in Vegas have been much better. That fucking wild. Well, yeah, my hair started to go gray there. Seriously. Are you still waking up in the middle of the night screaming or?
00:13:11
Speaker
Like last time I was in New York, I mean, it was a couple of years ago at this point, but I heard, I don't know if like an actor or somebody walked by this group of younger girls who just all started screaming and going nuts. I was just ready to bolt. I was like, I'm ready to go.
00:13:28
Speaker
Yeah. That's, I've never talked to anybody that was there for that. Yeah. And that's, and I'll leave it on this so we can, we can get, you know, talk all things cyber, but, um, there were two people in my elevator who were actually at the concert. Just had to tell him blood, like, and thought there were multiple. It was, it was, it was terrible. That is wild. That is wild.
00:13:57
Speaker
So then I was like, yeah, I should stick to cyber stuff. This physical world, this is scary. That is wild. But you, I mean, it's a good point. You were really early.
00:14:14
Speaker
And I mean, like I've talked to people that like I talked to one guy and he's based out of London and he told me, you know, a lot of people have claimed to write the first cyber policy. A lot of people claim it. He was like, I started writing cyber back in like 98.
00:14:31
Speaker
or 99, whenever, like really at the beginning. But most people that I talk to really talk about 2017 as being kind of really a turning point for where cyber became, not like just this luxury kind of specialty line, but more of like really- That just were lost laptops. Yeah, exactly. That used to be the number one claim was a lost laptop.
00:15:00
Speaker
So you were there really from the beginning or even before that. Kind of take us through
00:15:10
Speaker
and we'll get to kind of where we're at now, but kind of take us through the changes that you've seen since, you know, when you first, did you say 2013 is when you kind of got it?

Evolution of Cyber Insurance Market

00:15:20
Speaker
Yeah, I like to think of it, Abe, as I used this for easy numbers, 2015 and 2025, like where we were, and to your point, right, when the market really started to take off, we saw the introduction of the outside-in scans, right, and those started to proliferate.
00:15:37
Speaker
You know, what I saw for a while and, you know, even a little bit, you know, in a very, very near term that's gone on in the last quarter or so, but it was really this arms race for market share for so many years, right? You know, come day 2015 is when, you know, the markets, you know, really started 2017 and then, you know, had, you know, force multiplied by 4X.
00:16:04
Speaker
Um, and you had so like, you know, a new carrier every week entering the market, you know, offering, you know, one, two, three million in limits, um, for less and less premium asking less and less questions, right. To, you know, to the point where you can get, you know, two, three million in coverage for 2000 bucks. Just based on what's your company name, revenue record count, and have you had a breach that doesn't tell us anything about risk.
00:16:34
Speaker
Um, right. And, um, and, and, and I think we, as a market learned, learned that to a degree, right. As, as we felt the pain, you know, from 2020, you know, uh, and, and the next next couple, uh, year or two, um,
00:16:53
Speaker
And looking, it's also specific to which market segment we're looking at. And there are definitely some overarching trends throughout, but a much more transactional process can solve a lot more for your $2 million versus your $2 billion dollar entity.
00:17:13
Speaker
And what I think has gone on now, when I think about some of the evolution and look, there's obviously been a ton of evolution in coverage. There's the increasing interconnectivity between tech E&O and cyber coverage.
00:17:30
Speaker
Um, where, you know, where I think the industry where I wish the industry has done a better job was, you know, at least having some degree of standardization, you know, in terms of the data we're capturing and, um, you know, even in some of the policy forms, it doesn't, you know, I'm curious what you guys think, but does, does it help your lives that every carrier has in a different application asking different.
00:17:57
Speaker
questions, asking the same questions in a slightly different way and a totally different policy form is brutal. And like, think about, uh, not only that, but
00:18:09
Speaker
Uh, the way they're asking it too is it's, it's very difficult answer. It's not a true, it's very, it's like, yeah, we kind of, yes, no. Yeah. Yeah. We kind of do that, but it's really hard for me to answer this accurately. Like, I don't know if I'm, am I falsely stating something? I don't know. Like.
00:18:28
Speaker
Well, to your point, I used to love, you know, kidding around that asking on an application, do you have a firewall? Might as well ask, do you like a firewall? It doesn't tell it like, you know, like to your point, yeah, I may have a firewall on some portion of my network. Right. But we don't get any context. Is it config properly? You know, and to what degree is it deployed across the organization?
00:18:56
Speaker
Um, and, and we've seen that, right, with MFA and, and, uh, you know, the litigation that's ensued be because of, uh, because of the ambiguity it creates. Right. Uh, I think what, what's gone on is right. We so many, so many people just saw, right. This high growth opportunity and line of business within cyber, right. And figured out, okay, what's, what's the quickest, quickest way that we can, you know, at least have some informed perspective. Um, and look, if, uh,
00:19:26
Speaker
And we're getting to a place now where we can actually have confidence in our ability to quantify cyber risk and whatnot. But if there is one certainty in quantifying cyber risk, there's absolutely no certainties. It's sort of who can guess the best. And there's been a lot of development when we look at 2015 versus where we're at now.
00:19:56
Speaker
Personally, I hope that rates have bottomed in the current environment. Because I just see us, we went through the hard market, controls got a bit better, claim frequency maybe for a quarter or two was down. But I think a lot of carriers are getting
00:20:16
Speaker
I don't know, maybe a bit more aggressive than they should be. And we're going to start to see that curve go right back up in early next year, in my opinion. But it ultimately comes down to the degree of trust and transparency, in my opinion. Whether it's the relationship with the insured and broker and carrier,
00:20:41
Speaker
the how we underwrite and assess risk, right? Because we're all operating in a fog right now. And people dismiss, I think, how difficult it is to be a cyber broker or underwriter. You need some IT, cyber security, insurance, right? It is a lot. And, you know, it's impossible just to stay up on everything cyber security related, nevertheless, right, all the other components.
00:21:08
Speaker
Yeah, you, you made a lot of really good points there, Steve. Um, I, unless Abe, I don't know if you had something specific you're about to ask there, but like you just said trust and transparency there, like it's so true. You know, it really does come down to like, Hey, who can make the best guess, but like using, uh, those values of trust and transparency, like how.
00:21:33
Speaker
How do you see brokers being able to provide that type of information to carriers, you know, whether it be specifically through what you guys are doing over at safe or just in general? Yeah.
00:21:49
Speaker
Yeah, real quick, Steve, go ahead and take the opportunity to explain to everybody what SAFE does.

Role of SAFE Security

00:21:58
Speaker
Because I realize we probably missed that part. Yeah, no, absolutely. Yeah. So Safe Security is a leading cyber risk quantification and management solution, predominantly targeting and serving the Fortune 1000.
00:22:14
Speaker
So we're selling to Fortune 1000 CISOs and CIOs, customers like ADP, Discover Financial, Munich Re, KFC, and the like. And I'm going to just take a step back for a second in terms of what was the original problem we were solving and how did we get here.
00:22:32
Speaker
Um, you know, and just, uh, just for context for everybody that we, you know, product has been in market now coming up on year three, we've raised a hundred million dollars to date and growing 200% year over year. Uh, and recently just, uh, acquired RiskLens and the FAIR Institute.
00:22:50
Speaker
Um, which is like the grandfathers and the only recognized standard for cyber risk quantification. Um, so it's, uh, an exciting, exciting time, right. And, uh, an opportunity, you know, with, you know, with safe and the problem that we're solving.
00:23:06
Speaker
You know, your given enterprise has got 25 to 100 plus cloud, SaaS, and cybersecurity products, right? And we're continuing just to move in in this direction. Cybersecurity is what, $180 billion a year industry growing 20% year over year? Yet we still can't answer core fundamental questions.
00:23:30
Speaker
Whether it's to our carrier, to our board, to our broker, around how likely are we to get breached over the next 12 months? Well, how much could that event cost us? What about a ransomware event versus specifically a data breach? And CISOs didn't need another solution to detect or prevent. There's thousands of them out there.
00:23:51
Speaker
What didn't exist was a solution which was able to ingest and correlate all of the telemetry and signals across an organization's cloud, SaaS, and cybersecurity stack into a single dashboard, single source of truth, which in our case provides three core outputs of what is the organization's real-time breach likelihood at a macro organizational level, but also specific to different threats.
00:24:18
Speaker
Same for output number two, which is converting those bits and bytes to dollars and cents and quantifying cyber risks. And third, and in my opinion, the most important outcome is the degree of continuous and prioritized recommendations and action items.
00:24:35
Speaker
Because where we're identifying, based on the gaps that we've identified, whether it's this one asset from Amazon doesn't have MFA or there's some misconfiguration, all the way up to this company doesn't have an EDR solution in place.
00:24:53
Speaker
where we're helping to prioritize, right? Investing in which gaps is going to have the biggest impact in burning down your financial risk and, or, you know, reducing your breach likelihood. And, and that's where, you know, really moves this from just beyond, like, if all we can do is quantify cyber risk, then it stops there.
00:25:15
Speaker
It becomes more of a point in time, quantitative assessment versus thinking about how do we use quantification as an underpinning mechanism to manage risk more effectively or underwrite risk more effectively. And that's really right where that third layer comes in of the ongoing continuous insights, because where we're helping companies now,
00:25:39
Speaker
Get out of this, say, your SecOps team who's logging into CrowdStrike on Monday morning to see, you know, which one of these thousand logs do I need to prioritize? We're helping them prioritize, well, you know, should I resolve the issues in CrowdStrike or Microsoft and that? What's going to have the biggest bang for our buck?
00:25:58
Speaker
Um, right. And, you know, and providing the communication layer, uh, so that, you know, the technical leaders and your CISOs can translate to the board, to the CFO right into what we're doing within insurance. Um, and, and just would only add that.
00:26:15
Speaker
It was driven from our core customer demand, our CISOs and CIOs who felt the pain of the last two to three cyber insurance renewal cycles is what drove safe into insurance. Given the quantification, the degree of insight, the continuous nature of what we're doing, how can we help them secure more competitive terms on their cyber insurance?
00:26:38
Speaker
Yeah, coming back to the trust and transparency component, how can we help our customers get rewarded for the investments that they've been making in their security posture? And that's really the nexus for safe, and certainly here within the insurance industry, and really an opportunity to provide a lot more value to the end customers, but also I think
00:27:05
Speaker
to the insurance industry and how we start to really understand this risk, quantify it, price it, the implications for aggregate and accumulation risk management, and what I believe is hopefully the next generation of underwriting as we look at 2025.
00:27:24
Speaker
Yeah, I'm Steve. I've seen like a brief thing of the, you know, brief overview of SAFE's platform and you guys have something that nobody else has. Like what you're saying about being able to absorb all this information and have it quantified and have these consolidated outputs
00:27:48
Speaker
And the way you put it as well, they don't need another tool. They just need to be able to absorb all the information from all their tools or all their cloud environments, whatever it be, and get a number or get an understanding of where they stand or what would it cost if a breach happened.
00:28:06
Speaker
That is huge, not only for the CISO, but for an insurance program, for a carrier. Like it really does create a single translation for everybody to look at, right? Like that nobody got the industry needs and nobody else has.
00:28:25
Speaker
There's no question, Ryan. I love the use of translation layer. I use that terminology all the time. It's really what we're doing. And I know there's a variety of different approaches in terms of this whole inside out notion.
00:28:45
Speaker
and different approaches for different segments, which have different pros and cons. In our space, we're a bit more focused on mid-market and enterprise. I feel like we have to be in a position to integrate across existing solutions versus try to enforce the customer to use a solution.
00:29:13
Speaker
of ours and that opens up some other potential liabilities and concerns. But yeah, at the end of the day, it just comes down to, again, providing that transparency, that trust. But also, how do we collaborate within the insurance industry to incentivize customers to share more of this data? But also coming back to your original question right around
00:29:42
Speaker
how can brokers, whether with safe or just more broadly, think about driving that trust and transparency.

Partnerships in Cybersecurity

00:29:54
Speaker
Of course, I am obviously always a little subjective to safe, but
00:30:00
Speaker
You know, to me, it's part partner with the right, uh, you know, leaders in cyber risk, in cybersecurity, if you will. Right. And, and build on top of that with your insurance capabilities and acumen. So that one plus one equals three. Right. And I say that for a couple of reasons, you know, a.
00:30:19
Speaker
Not every company trusts their insurance partner, whether it's your broker or carrier as their cybersecurity advisor or as a tool they created versus a recognized security company in that regard. We touched upon this earlier, but part of the issue with
00:30:49
Speaker
How do I say this? I think part of, we've gotten in this scenario where, you know, every, if you look at all the large brokers, they all have their own questionnaires, right? And various different services and whatnot, where, you know, I wish we could, as an industry, just get a bit more aligned with, you know, like, Hey, organization, you've already completed a NIST assessment as well.
00:31:11
Speaker
share that NIST audit with us. Don't go through a whole new application process, you know, and yes, we could do inside out and whatnot in addition to it, but get us around some degree of uniformity, uh, where we're not, you know, just coming in with our, our subjective perspective with our questionnaire, right. And, you know, and very qualitatively aware where we're leveraging, you know, the leading frameworks and tools in the security and cyber risk domain.
00:31:41
Speaker
And really also, I think the key now is being able to take a data-driven approach, right? Being able to really help your customers, you know, determine what are appropriate limits and the limit adequacy, right? With at least just having an under-
00:31:58
Speaker
a confident understanding in their potential financial exposure. And that's just at a high level, some of my thoughts, but I think we're better served if we partner together versus try to build everything ourselves and then just potentially add more confusion to the end customer, because it just stays within the insurance vertical. It's not more broadly dispersed across security.
00:32:28
Speaker
Yup. Completely agree. And then you saw Abe and I laughing when he said NIST because him and I have talked about that at length. We have like a venting conversation at night. NIST just be accepted. Why? Why?
00:32:44
Speaker
Every, any enterprise who's gone through it is going to love that process. I'm like, oh yeah, at worst I have to just like translate this, our NIST Excel into this different NIST Excel format, you know, but it keeps us all aligned to a standard. We, there's so much more we could do in analyzing modeling the data. You know, we have all these talks and, you know, I have a talk at the xi wave conference on, uh, you know, cat and systemic risk.
00:33:14
Speaker
How are we ever really going to understand our systemic and aggregate risk if A, we don't get some inside out telemetry, but B, we don't have any uniformity across carriers and underwriting. I can't tell you how many reinsurers I've met with where they're like, we're lucky if we get the actual company name in a monthly bordereau. It's like all theoretical modeling.
00:33:44
Speaker
Yeah. See, uh, as far as inside out underwriting, I'm just, I'm kind of curious what you, and it might not be an either or, I don't think it is an either or, but just in your, your experience when we're passing this data through to underwriters.
00:34:09
Speaker
If you had to prioritize one, is it control validation? Let's try to validate controls. I think of Travelers and obviously what happened in the last couple of years with the MFA there. Or is it giving carriers access to more vulnerability data? Which should be prioritized if you can give an answer to that? And which one do you think kind of moves the needle more?
00:34:38
Speaker
Really, really good question. A quasi-loaded, so you know it was a good one. So it depends.
00:34:50
Speaker
It definitely depends on what's the ultimate end infrastructure at the end customer. But I would think about it in a continuum. And because we're pushing inside out through insurance, which is different than an enterprise who wants inside out 24-7, wants to integrate everything in their environment.
00:35:13
Speaker
So with saying something through insurance, I think about it in the way where we want to lead with public cloud, right? And that's a configuration assessment, right? And so where we think of, you know, and so if you're a company that's either cloud native or predominantly hosted in the cloud, whether that's one, two, three, we can do, you know, one integration to API integration to that cloud environment or, you know, to your Azure and AWS.
00:35:42
Speaker
And from just that four-click process and the output that comes with it, have very high confidence in terms of our analysis and understanding of your environment versus if a company only had 10% of their environment in Amazon and we integrate it to Amazon, then we only know 10% to 10%.
00:36:03
Speaker
So I think about starting there, but that being said, then it's, well, what are the additional data points that really drive the needle? And that's where you get into your configuration assessments, like a Qualys for any on-prem assets, but definitely your vulnerability assessments.
00:36:23
Speaker
Whether that's within SAFE, you can upload a vulnerability report, or if you're using a provider that we haven't done an API integration yet for the real-time perspective. But that's bringing in, and had our first risk go through with one of the larger carriers in the market this past week,
00:36:46
Speaker
Um, and was really, you know, was a very positive, which, which was awesome, but was really illuminating to get their perspective and hear back, right. That how like, uh, you know, this, this customer was not in the cloud, um, you know, but one of the integrations they did was a vulnerable, their vulnerability assessment tool.
00:37:04
Speaker
And just hearing like, this is information that we can't otherwise get. They've run all their tools, the external attack surface monitoring, the outside in. But to actually be able to see that there's these five assets that have these high critical vulnerabilities, which they've already identified internally as high critical vulnerabilities,
00:37:32
Speaker
paramount, right? It's just like a whole new degree of insight that they don't have, that they haven't previously had, where a lot of the work now is helping, you know, carrier underwriters, brokers, understand, well, what is most meaningful, right? What does move the needle the most to your question name? And look, I could tell you outside in moves the needle the least.
00:37:58
Speaker
And look, we support it as a coordinated capability. And actually looking at the data day over day, it truly does move the needle the least. It's like a stagnant line almost for the most part. But it really, yeah, I think about it in those different categories of cloud, vulnerability, configuration, EDR tools, and then your SaaS solutions would sort of be last in that regard.
00:38:30
Speaker
Sorry, it was a long-winded, long-winded answer. No, it's great. It's really good. What's interesting is
00:38:46
Speaker
You know, when you're talking about moving-the-needle stuff and how outside in is like least, yeah, it moves the needle the least, right? If we could create a graph and it was like "moves the needle the least," "moves the needle the most,"
00:39:02
Speaker
The stuff that carriers are currently using to underwrite risk is in the least move the needle in the least section.

Challenges in Methodology Adoption

00:39:12
Speaker
A lot of it has to deal with the data science and absorbing information and quantifying that on their end. So it's all the carriers out there. We're not attacking.
00:39:23
Speaker
No, no. Look, it's a tough problem. In some regards, the insurance industry is like the Benjamin Button of innovation sometimes. And I've just seen in my engagement, it's very hard for a large incumbent carrier to unplug the existing methodology, the existing pricing, rating approach.
00:39:52
Speaker
Um, and it's, it's a significant exercise, right? To try to get the team aligned, right. Unplug then, you know, test on, on whatever integration is, you know, or, or update, you know, to the overall underwriting, you know, a methodology and approaches that's being taken. Um.
00:40:11
Speaker
But it's been interesting. Now, as some of our closer partners, but some of the partners like some of the bigger carriers that we're just getting through our first risk together.
00:40:27
Speaker
Um, has been very illuminating for, for both sides, right. Cause they're now getting a chance to really see, well, E and like the type of insights that that inside out delivers. And to your point, Ryan, like MFA, right. Within a minute, uh, doing, of doing that AWS or Azure integration, right. If you have 5,000 assets, we can see exactly, you know, the seven that don't have MFA and the varying degrees of MFA. Cause there's like eight degrees of it.
00:40:57
Speaker
You just can't find that out from the outside.
00:41:02
Speaker
So how do we drive sort of this change management, but also, as we start to get enough data, use this objective telemetry to reduce the increasing ransomware supplemental app. And really only have those core questions that we need to ask that we can't answer from a machine. Like I can't know if you tested a BCP plan through an integration.
00:41:31
Speaker
Yeah. The survey does have some type of function of filling in those programs. There is still going to be a function of something. There is. Absolutely. Whether that be actually through PDF or inputted within a safe, secure portal is one thing.
00:41:53
Speaker
I actually love those dynamic PDF applications. I'm not going to name any names. Yeah, not one is tough. For me, Steven, me and PDFs. I tell you what, just speaking on that point real quick, when I was a broker, the one thing I couldn't stand
00:42:18
Speaker
or was more like mind blown, I would get emails and it would be an Excel file of 50 employees and their date of birth, their social security numbers.
00:42:31
Speaker
And I was just giving it to him. And then I would broader during the underwriting. Yeah, exactly. Their, their accounts, you know, their accounting team sends it. Hey, sad to send this to you in isolation. The rest of the team isn't allowed to see it. They're like, dude, this is so sensitive. They're just emailing it.
00:42:52
Speaker
And then on top of that, we show out our whole cybersecurity infrastructure, our data backups, who we use as our cloud, our full information in a PDF, send it in an email. It's like, might as well give them a prescription of like, hey, here is my whole infrastructure. Just take a look and the vulnerability associated with it. Exactly. Because what do they do?
00:43:17
Speaker
The companies were actually then taking that data from each application and putting it into some BI system to model everything. That's far and few between and definitely not the most efficient way to get there. Yeah, right. But what do you guys see? What are some of the biggest frustrations that you guys are facing in the industry out of curiosity, whether with customers or with carriers?
00:43:46
Speaker
Abe, I'll let you take that one first. I already have some stuff in mind. I think we've spoken about, honestly, most of them that are top of mind for me.
00:43:56
Speaker
The application thing to me is, I talk to a lot of people obviously in the industry and a lot of people are focused on making things easier. And I get that to an extent, but we already have cyber. I think honestly, cyber is too easy right now. There should be
00:44:18
Speaker
Just the way with things are set up, there should be a little bit more information gathering. Underwriting should take a little bit longer. We shouldn't be underwriting via API, in my opinion. We've seen this on the smaller side of things when it still is within underwriting guidelines for small business. There's classes of business that we can get put
00:44:44
Speaker
through that really should have certain exclusions, but because it's going through an API and they're asking no questions, we're able to bypass those things. So there's a lot of recklessness there, but a big one that I've been thinking about is obviously the application process. How can we ingest a CMMC audit?
00:45:08
Speaker
If that's good enough for the Department of Defense and there's a third-party auditor that has to get licensed to verify this data, I can't even take one cyber application to another carrier, much less a nationally adopted framework. Then another thing that I think frustrating is
00:45:33
Speaker
The cyber risk quantification part of things, you know, a lot of it, it seems to be just based off of benchmarking and the benchmarking sucks and it's based on just terrible data. A lot of it's just, you know, the best we can do in terms of risk quantification is like, you know, for this revenue size in this industry, other brokers placed this business with $3 million limits. And it's like, what are we doing? So I'm kind of curious.
00:46:04
Speaker
on those lines, like for the risk quantification side of things. And this is an area that I feel like I'm lacking. I wouldn't know how to explain it to a five year old, how we quantify cyber risk. And I feel like you might be the guy that could.
00:46:21
Speaker
Uh, that, that's a good one. How do we explain it to a five year old?

Defining Cyber Risk

00:46:27
Speaker
Um, because it, and look, it's right. As I said earlier, right. But there's one certainty, there's no certain piece, you know, and, uh, at the end of the day and, and here's the problem, right? The definition of risk in this regard is, uh, you know, the probability of loss event frequency and loss event magnitude.
00:46:47
Speaker
that could be a little simpler in and of itself, in terms of what that means. When I think about cyber risk quantification and definitely the pains that you've expressed, Abe, look, I think part of the issue that the industry's had for a while is that there were models for the sake of models. You had a lot of different companies just coming to market or whatever it may be, and they were all a black box.
00:47:16
Speaker
Right. Which would say, Hey, you know, you could have an event which costs you between 50 to $500 million and take our word for it. Right. Well, you know, what's actually the data that's sitting behind that. Right. And, uh, you know, and we're like, what we've done at Safe is, you know, we built a fully bottoms up transparent and tunable cost model. So.
00:47:37
Speaker
So whether it's at the end organization level or with our insurance partners and being able to tune the model with a claims feedback loop, we actually welcome an enterprise to disagree with the quantification output because they can point to exactly where and why.
00:47:58
Speaker
And in our case, it's all based off of empirical data that we've gathered more than 500,000 data points across more than 5,000 attacks. And to your point, Abe, I'm not going to name names, but the data from one of the leading cyber risk analytics data providers in the market
00:48:22
Speaker
doesn't really, that type of data doesn't provide any context for us because it's so high level. It's like, Hey, this company had an event would cost a hundred million dollars. Well, I need to know how much of that was BI versus IR, right? And, and further, like what type of event, what were the actual techniques that were used to, to execute this event? So all of our data is built, you know, where we've been able to get those micro cost elements. Uh,
00:48:50
Speaker
The inputs from the SMEs like your IR firms and the different rates that they're charging, the average expected number of hours for different things. But I think there's never going to be a right answer for quantifying cyber risk. We'll never be able to be like, for this scenario, this is exactly the risk.
00:49:17
Speaker
The degree, and we've seen with our backtesting, that the variance between our prediction and what's actually occurring is getting smaller and smaller. And I think the key is enabling, and what I love about the integration we have with FAIR now, FAIR is an open standard. 15,000 members and historically has had very little engagement with the insurance community.
00:49:43
Speaker
So I'm excited for us to engage in that regard. But it's an open framework. You can see all of the underlying data. So there's at least
00:50:00
Speaker
there's at least a narrative there, right? Where before it was just take our word for it, right? And there's also like, you know, we see these gaps, but these, we can't tell you how to resolve them, you know? And then I've also seen, um,
00:50:15
Speaker
Uh, look, we were, um, uh, we, we did launch, uh, or we considered launching an MGA last, last year, uh, right. When Safe as we were, you know, exploring different paths to

Launching an MGA and Market Practices

00:50:27
Speaker
market here. Uh, and we got capacity from, uh, one of the leading reinsurers in Germany to launch a program in Germany. Um, and I, I, in that process, I had to create a portfolio that they were going to model right with their, their, their loss modeling, uh, solution.
00:50:45
Speaker
Guys, it was the most theoretical exercise I've ever seen. I literally, I just put company one to company 250 in an Excel. I was like, okay, here's their safe score and here's their revenue, arbitrary premium, like 4K, 6K, 8K. And then they ran the scenarios, but it's like,
00:51:05
Speaker
They're like, your probable maximum loss is around this number, which was based on a scenario of 30% of our retail customers having some POS outage. Again, that might happen.
00:51:27
Speaker
We don't even know what POS provider somebody's using, right? And it's just pure theory in that regard. Yeah, that's crazy. And it kind of speaks to, I've also had some alarming conversations like that where you're a little confused, not confused leaving, but you're like concerned, I guess.
00:51:52
Speaker
Um, and, you know, I was talking to this, uh, to this carrier and he basically, the representative, he basically was like, yeah. Um, you know, if they're under a hundred million in revenue and they answer yes to MFA, you know, we put them in a bucket of like, they're good to be unreal. They're better than no, you know, if they answer yes to MFA, that means they have some type of cybersecurity knowledge. And I'm like.
00:52:18
Speaker
Are you kidding me? That's where, that's the analyzation. That's the, that's the, the method you're using to decide if it's a good risk or a bad risk is like, yeah, I guess something's better than nothing.
00:52:32
Speaker
Or that they know how to answer like a questionnaire to get better terms on insurance. It's like applying to a college where if you can sign the bottom line, like you're, you got an offer. Exactly. I think didn't we all get like points on our SATs for spelling our name right?
00:52:52
Speaker
So yeah, that's pretty crazy that you guys went through that process. And that was the, you know, it was, it was really interesting, right. Cause it's, uh, especially when, when I see what we're building, like on the aggregate.
00:53:07
Speaker
risk side, where it's based on where we capture right now more than 3 billion signals a day, on average more than 3 million per customer. And it's these signals that give us really interesting data from pricing, accumulation, aggregation, to really see what are the top
00:53:32
Speaker
25 vulnerabilities or misconfigurations across this solution within this portfolio, for argument's sake. And that's, you know, it's not just going to be, as an industry, I'm hopeful we can all head in this direction.
00:53:48
Speaker
And I think a lot of us and like us here today are waking up or are woke, I guess, as the kids now say. And we just need to keep driving the right change here. It's the right thing for us to have a sustainable market and insurance.
00:54:12
Speaker
But also, you know, a customer that wants to buy the product, insurance is sold, it's not bought, right? We don't wake up on Sunday, like let's go buy insurance. That sounds, that sounds good. I put my girlfriend to sleep talking about insurance.
00:54:30
Speaker
Oh, God. If I'm at like, granted, I'm not at many parties these days, but if I want to quickly end a conversation, tell someone I'm in cybersecurity insurance. You're looking like, what is that? What? Conversations just like a walking Xanax, man. That's not totally out. Yeah. Yeah. Cybersecurity insurance. Yeah, bro. Okay. So we'll talk to that sniv guy guy.
00:55:00
Speaker
As we kind of wrap things up here, what, so I feel like it's hard, it's hard to listen to the conversation here, and maybe it is hard, but to me it's not hard to listen to this conversation and think
00:55:16
Speaker
What Steve is talking about makes sense, and this is the way that things should be done. I think a lot of people on the brokerage side would agree. I think a lot of people are starting to wake up to this idea that the way that we currently underwrite risk is not
00:55:35
Speaker
sustainable and maybe it's propped up by some VC funding on the InsureTech carrier side of things. That's not to say that VC is bad in and of itself. I just think in that setting, it can be misused.
00:55:52
Speaker
What is the call to action here? How can people start to, whether that's a half step or are going full fledged into Safe and into inside out underwriting and just doing things the way that they should be done? What's the call to action?
00:56:11
Speaker
Yeah, really, really interesting question, Abe. So in some part, I think it probably depends on who the stakeholder is, right? Is it the customer, the broker, the carrier? But even still, it ultimately starts with like, you know,
00:56:26
Speaker
What's the starting point on this continuum? We're all used to at least the outside in assessments at this point. That's commonplace. There's nothing new. There's some new providers who are skinning it in a different way, but to each their own.
00:56:43
Speaker
But we start there, now let's add a quantitative perspective on top of that, right? And, and, you know, from a quantitative side, we have the majority, when I say like we here, the majority of our primary applications capture the underlying data inputs that we need here, right? Certain impact controls, like offsite data backup, you know, the number of records, revenue, you know, and certain variables like that. But.
00:57:11
Speaker
where now we have a quantitative lens, right? And can either we're leveraging that as an underwriter to see what's the right attachment point on this risk, right? Or as you're having a conversation with a customer on what are appropriate limits, right? And then from there, I think about, okay, let's start to drive towards NIST, right? So like what we've done with Mosaic,
00:57:35
Speaker
Since we have a tight partnership, we're powering their primary and excess cyber underwriting, we enable the end customer to choose between the smaller cyber insurance questionnaire or NIST CSF. And right as they've already done a NIST CSF assessment or audit, upload that via Excel into the platform, we'll fully score the information, and that's your application.
00:57:58
Speaker
That also provides meaningful insight to the end customer because it's now not just a NIST assessment for the purpose of a NIST assessment, but it's going to take that NIST assessment and quantify where you stand relative to that, and then ultimately the inside out integrations. What we see is
00:58:21
Speaker
Once somebody actually even sees the process, it's literally four clicks of a button and takes like 10 minutes.

Simplifying Inside-Out Integrations

00:58:29
Speaker
No agents have to be downloaded or installed. It really is about this change management. We need to drive and adapt around this new process. It's definitely not a more difficult or onerous process.
00:58:46
Speaker
And really, I think it's fair to say in the insurance industry is definitely a lot more open and wanting to have these conversations than two years ago, and just absolutely thinking customers weren't willing to. When I know customers are willing and wanting to, the key is just having the right, there's got to be an incentive.
00:59:09
Speaker
A reward, if I'm going to share more of this data, I should be rewarded more than the company who's not sharing this type of data. And that's where I think things become interesting. And we move beyond just the sale of a policy, but into more of this continuous risk management and partnership. If you can keep taking action on the recommendations and gaps that we've uncovered, in our case, increase your safe score,
00:59:38
Speaker
That keeps unlocking more incentives back from the policy, whether it's premium reductions in retention, coverage, a cybercrime reinstatement for argument's sake. And then you have a really unique relationship and stickiness.
00:59:53
Speaker
Right. Where, you know, you have the tech that's going along with insurance. Uh, but you know, is led by meaningful engagement on the CSO, but also speaking to the CFO and risk manager. It's, um, it's not easy, right? It's a very complex to get there. Right. And as we all know, but, um, that would be my, uh, my very, my complex call-to-action work.
01:00:20
Speaker
I'll give you another one. I think the call to action is talk to Steve. Selfishly talk to, talk to Steve, talk to Safe and it's, and look, yeah, so much of this is awareness, right? Like, um, people, people don't know. I, I have a limited network, right? And it's, um, uh, and, and I think Safe is doing a great job, you know, in our capability, technically.
01:00:46
Speaker
uh, versus where, um, where some others are, are, are at. And it's, it's cause we've just been focused here, right? You know, you know, for the last three years, um, but it's, uh, yeah, I will, I'll, I'll take you up on that.
01:01:03
Speaker
Well, awesome. Steve, we're coming up on an hour here. I feel like we could probably go for like three or four. We could. I would love to spend every Friday afternoon like that. We should figure something out. I have like a series. Yeah, right. We should. We should. Let's do it. I want to get my marketing team involved. They'd love it.
01:01:27
Speaker
Love it. Love it. Yeah. Maybe we also bring like a broker in it as well. Like a, like a, from a top 10 shop or something like that. Cyber practice leader. Yeah. Really get some fun going. Awesome. I love it.
01:01:42
Speaker
Love the ideas. Again, thanks for coming on. This has been selfishly a lot of fun and I hope that you can find value in it. We're definitely going to have you on again. And yeah, where can people find you? Yeah. So Steven Schwartz or the Cyber Steve right on LinkedIn.
01:02:06
Speaker
Um, you know, my, my email is steven.s at safe dot security. Um, so a bit of a unique domain URL there, but, uh, yeah, just reach out on LinkedIn would love, love to connect. Uh, most importantly, thank you guys for having me today was, was an absolute blast and yeah, could go on, could go on for hours. Hopefully I didn't, uh, you know, didn't go too deep into any unique rabbit holes, but, um, okay. It's an exciting time to be in our market, right? You know, who.
01:02:36
Speaker
Who would have thought insurance, right? And cyber could be exciting, but it is. And there's so much opportunity, right? We're still so early ultimately in the evolution here. Let's just set the right foundation so we can capitalize on this for the whole ecosystem. Absolutely. So true. Love it. Love it. Thanks so much, Steve. Appreciate you guys. Thanks, Steve. Awesome. Thanks, Ryan. Thanks, Abe. Cheers, guys.